© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CISM Information Security Program • Complete Question Bank

CISM Information Security Program — All Questions With Answers

Complete CISM Information Security Program question bank — all 0 questions with answers and detailed explanations.

137 questions · Free · No signup
Question 1 (medium, multiple choice)

An organization's information security program has been in place for two years. During a recent audit, several findings indicated that security controls are not consistently applied across business units. The CISO has been asked to improve the program. Which of the following should the CISO do FIRST?

Question 2 (hard, multiple choice)

A multinational corporation is designing its information security program and must decide how to balance security with business agility. The company operates in highly regulated industries with varying legal requirements. Which of the following approaches BEST aligns with industry best practices for such an environment?

Question 3 (easy, multiple choice)

An organization is developing a new information security program and wants to ensure it aligns with business objectives. Which of the following is the MOST critical first step?

Question 4 (medium, multiple choice)

During a merger, two companies with different information security programs are being integrated. The combined entity must maintain compliance with PCI DSS and GDPR. The CISO is concerned about gaps in coverage due to differing maturity levels. Which of the following is the BEST approach to harmonize the programs?

Question 5 (medium, multi select)

Which TWO of the following are key components of an information security program governance structure? (Select TWO.)

Question 6 (hard, multiple choice)

Refer to the exhibit. An analyst observes the network traffic between three internal hosts and a web server. Which of the following is the MOST likely interpretation of this traffic?

Exhibit:

```
[SYN] 12:01:00.001 192.168.1.10:12345 -> 10.0.0.1:80
[SYN-ACK] 12:01:00.002 10.0.0.1:80 -> 192.168.1.10:12345
[ACK] 12:01:00.003 192.168.1.10:12345 -> 10.0.0.1:80
[GET /index.html] 12:01:00.004 192.168.1.10:12345 -> 10.0.0.1:80
[SYN] 12:01:00.005 192.168.1.11:23456 -> 10.0.0.1:80
[SYN-ACK] 12:01:00.006 10.0.0.1:80 -> 192.168.1.11:23456
[ACK] 12:01:00.007 192.168.1.11:23456 -> 10.0.0.1:80
[GET /login.php] 12:01:00.008 192.168.1.11:23456 -> 10.0.0.1:80
[SYN] 12:01:00.009 192.168.1.12:34567 -> 10.0.0.1:80
[SYN-ACK] 12:01:00.010 10.0.0.1:80 -> 192.168.1.12:34567
[ACK] 12:01:00.011 192.168.1.12:34567 -> 10.0.0.1:80
[GET /admin.php] 12:01:00.012 192.168.1.12:34567 -> 10.0.0.1:80
```

Question 7 (hard, multiple choice)

You are the CISO of a mid-sized financial services firm that processes credit card transactions. The company has recently expanded its operations to include a mobile payment application that stores payment credentials in the cloud. The current information security program was designed primarily for the on-premises environment and has not been updated to address cloud-specific risks. The internal audit team has identified that the cloud service provider (CSP) does not have an independent third-party audit report (e.g., SOC 2) available for review. Additionally, the mobile app development team has been deploying code without formal security review, citing the need for rapid releases to compete in the market. The CEO has expressed concern about the potential for a data breach and has asked you to recommend immediate actions to strengthen the security program while minimizing business disruption. Which of the following should you recommend as the FIRST course of action?

Question 8 (medium, multiple choice)

An information security program is being developed for a multinational organization. Which of the following is the PRIMARY driver for aligning the security program with business objectives?

Question 9 (hard, multiple choice)

After a major security incident, the board of directors requests a review of the information security program. Which of the following metrics would be MOST useful to demonstrate the effectiveness of the program over the past year?

Question 10 (medium, multiple choice)

An information security manager is designing a program for a healthcare organization. Which of the following should be the FIRST step in establishing the program?

Question 11 (hard, multiple choice)

An organization's information security program includes a formal exception process. When reviewing an exception request to bypass a critical control, what is the MOST important factor for the information security manager to consider?

Question 12 (medium, multi select)

Which of the following are key components of an effective information security program? (Select TWO.)

Question 13 (hard, multi select)

An information security manager is evaluating the maturity of the organization's security program. Which of the following indicators suggest a high level of maturity? (Select TWO.)

Question 14 (hard, multiple choice)

Match the following security program components with their primary purpose by dragging each component to the correct description.

Question 15 (easy, multiple choice)

Which of the following is the PRIMARY responsibility of a steering committee in an information security program?

Question 16 (medium, multiple choice)

An organization's information security program is based on a risk management framework. Which of the following BEST describes the role of the information security manager in this context?

Question 17 (hard, multiple choice)

An organization has implemented a balanced scorecard to measure the effectiveness of its information security program. Which of the following metrics would be MOST appropriate for the 'internal processes' perspective?

Question 18 (easy, multi select)

Which of the following are key components of an information security program? (Select TWO)

Question 19 (medium, multi select)

An information security manager is developing a security program for a multinational organization. Which of the following should be considered when defining the program scope? (Select THREE)

Question 20 (hard, multiple choice)

Match each information security program component with its correct description.

Question 21 (medium, multiple choice)

Which of the following best describes the primary purpose of an Information Security Program?

Question 22 (hard, multiple choice)

An organization's information security program has been operational for two years. The security manager is asked to propose changes to improve effectiveness. Which approach should the manager take first?

Question 23 (easy, multiple choice)

Which of the following is the most important factor for ensuring the long-term success of an information security program?

Question 24 (medium, multiple choice)

An information security manager is developing a program metric to measure the effectiveness of the security awareness training. Which metric is most appropriate?

Question 25 (hard, multiple choice)

During a review of the information security program, the security manager discovers that the program's objectives are not aligned with the organization's strategic business goals. What is the best course of action?

Question 26 (medium, multi select)

Which of the following are essential components of an information security program governance framework? (Select TWO.)

Question 27 (hard, multi select)

An organization is designing its information security program and needs to ensure it supports business continuity. Which TWO of the following should be integrated into the program?

Question 28 (medium, multiple choice)

Which of the following best describes the primary purpose of a security program's governance framework?

Question 29 (hard, multiple choice)

An organization has a mature security program with documented policies and standards. However, during a recent audit, it was found that several business units are not following the mandated data classification standard. What is the MOST likely root cause?

Question 30 (easy, multiple choice)

Which document should be created FIRST when establishing an information security program?

Question 31 (medium, multiple choice)

An information security manager is designing a metrics program to report to the board. Which of the following metrics would be MOST meaningful to the board?

Question 32 (hard, multiple choice)

An organization has a security program that is aligned with ISO 27001. During an internal audit, it is discovered that several controls are not being applied consistently across all departments. The MOST effective corrective action is to:

Question 33 (medium, multi select)

Which of the following are key components of an information security program's strategic plan? (Select two.)

Question 34 (hard, multi select)

A security manager is evaluating the effectiveness of the security program. Which of the following would be valid indicators of a mature program? (Select two.)

Question 35 (easy, multiple choice)

Which of the following is the primary purpose of an Information Security Program?

Question 36 (medium, multiple choice)

An information security manager is developing a program metric to report to senior management. Which metric best demonstrates the effectiveness of the information security program?

Question 37 (hard, multi select)

Which of the following are key components of a mature information security program? (Select 2)

Question 38 (medium, multi select)

An information security manager is designing a security program for a multinational organization. Which factors should be considered when developing the program governance structure? (Select 3)

Question 39 (hard, matching)

Match each information security program component to its primary focus area.

Components:
- 1. Risk Assessment
- 2. Security Awareness Training
- 3. Incident Response Plan
- 4. Policy Framework

Focus areas:
- A. Human factors and behavior
- B. Structured response to events
- C. Identification and analysis of threats
- D. Governance and compliance requirements

Question 40 (medium, drag order)

Arrange the steps in order for conducting a business impact analysis (BIA) in business continuity management.

Question 41 (medium, drag order)

Arrange the steps for implementing a new firewall rule in an enterprise environment.

Question 42 (medium, drag order)

Arrange the steps for performing a vulnerability scan on a network segment.

Question 43 (medium, matching)

Match each CISM domain to its focus area.

Focus areas to match:
- Establish and maintain a framework to align security with business objectives
- Identify and manage information risk to achieve business objectives
- Design and implement a security program to manage risk
- Plan and manage the incident response process
- Oversee and improve the security program's performance

Question 44 (medium, matching)

Match each security framework to its primary purpose.

Purposes to match:
- Specify requirements for an ISMS
- Provide risk-based guidance for critical infrastructure
- Govern and manage enterprise IT
- Align IT services with business needs
- Protect cardholder data

Question 45 (medium, matching)

Match each security role to its primary responsibility.

Responsibilities to match:
- Senior executive responsible for security strategy
- Oversees daily security operations and team
- Designs security infrastructure and controls
- Evaluates compliance and effectiveness of controls
- Executes incident response procedures

Question 46 (medium, multiple choice)

A multinational corporation is implementing a new information security program. The program manager needs to ensure that security requirements are integrated into the procurement process for third-party services. Which of the following is the most effective approach?

Question 47 (hard, multiple choice)

A financial institution is developing an information security program based on the COBIT framework. The board has requested a balanced scorecard to communicate program effectiveness. Which of the following metric categories would best align with the 'Internal Processes' perspective?

Question 48 (easy, multiple choice)

An organization has just completed a risk assessment and identified several high-risk vulnerabilities. The security program manager needs to prioritize remediation efforts. Which of the following should be the primary factor in determining priority?

Question 49 (medium, multiple choice)

A company's security program includes a policy that all employees must use strong passwords and change them every 90 days. However, the recent internal audit shows that 60% of employees have passwords that do not meet the strength requirements. What is the most effective corrective action?

Question 50 (hard, multiple choice)

A global e-commerce company is designing its information security program. The CISO wants to implement a defense-in-depth strategy for the web application layer. Which combination of controls best achieves this objective?

Question 51 (easy, multiple choice)

A small business owner wants to establish an information security program but has limited budget and staff. Which of the following frameworks would be most appropriate to guide the program?

Question 52 (medium, multiple choice)

An organization has a mature security program but is experiencing an increase in successful social engineering attacks. The incident response team has confirmed that the attacks are bypassing current controls. What should the program manager do first?

Question 53 (hard, multiple choice)

A company's security program includes a policy that prohibits the use of personal devices for work. However, the CISO discovers that several executives are using personal tablets to access corporate email. What is the most appropriate action for the CISO to take?

Question 54 (easy, multiple choice)

Which of the following best describes the primary purpose of an information security program?

Question 55 (medium, multi select)

Which TWO of the following are essential components of a security program governance structure?

Question 56 (hard, multi select)

Which TWO of the following are key performance indicators (KPIs) that demonstrate the effectiveness of a security awareness program?

Question 57 (easy, multi select)

Which THREE of the following are typically included in an information security program budget?

Question 58 (medium, multiple choice)

An auditor reviews the BYOD policy and notes that mobile device management (MDM) logs show several devices without encryption. The policy has been in effect for 6 months. Which of the following is the most likely reason for this non-compliance?

Exhibit:

```
[Policy: BYOD]
Version: 2.0
Last Review: 2024-01-15
- Employees may connect personal devices to corporate network.
- Devices must be registered with MDM.
- All devices must have full disk encryption enabled
- Devices must run the latest OS version within 30 days of release.
- Containers for corporate data are required.
- Non-compliant devices will be blocked after 7 days grace period.
```

Question 59 (hard, multiple choice)

The security analyst reviews the SIEM alert and finds that the source IP is from a trusted VPN broker used by remote employees. What is the most likely explanation for the alert?

Exhibit:

```
Event Log: SIEM Alert #4521
Timestamp: 2024-08-15 14:23:45 UTC
Rule: Failed login attempts > 5 in 10 minutes
Source IP: 203.0.113.5
Target: User 'admin' on server DC-01
Count: 12 attempts
Status: Alert generated, no automated action
Comment: IP belongs to external VPN broker
```

Question 60 (easy, multiple choice)

Based on the risk register entry, what is the primary gap in the current controls?

Exhibit:

```
Risk Register Entry:
ID: RR-102
Risk: Data loss from unencrypted laptops
Current Controls: Full disk encryption policy (not enforced)
Likelihood: 3 (Medium)
Impact: 5 (Very High)
Risk Score: 15
Proposed Control: Enforce encryption via MDM
Residual Risk after control: 3 (Low)
```

Question 61 (easy, multiple choice)

A small business is developing its first information security program. Which approach is most effective?

Question 62 (medium, multiple choice)

An organization's security program has been in place for two years, but recently several security incidents occurred due to lack of user awareness. What is the most likely root cause?

Question 63 (hard, multiple choice)

A multinational corporation is designing a global information security program. Which governance structure best ensures consistent security while allowing regional flexibility?

Question 64 (easy, multiple choice)

Which of the following is the primary purpose of an information security program?

Question 65 (medium, multiple choice)

A security manager is tasked with building a business case for a new security program. Which metric is most persuasive to senior management?

Question 66 (hard, multiple choice)

After a data breach, the CISO reviews the security program. The breach exploited a known vulnerability in a legacy system that was deemed 'acceptable risk' two years ago. What should the CISO do to improve the program?

Question 67 (easy, multiple choice)

An organization wants to ensure that its security program aligns with business objectives. Which activity is most important?

Question 68 (medium, multiple choice)

A company's security program includes a set of controls based on a risk assessment. During an audit, several controls are found to be ineffective. What should the security manager do first?

Question 69 (hard, multiple choice)

A security program includes multiple metrics. Which metric best indicates the program's effectiveness in reducing overall risk?

Question 70 (easy, multi select)

Which TWO of the following are essential components of an information security program charter?

Question 71 (medium, multi select)

Which THREE of the following are key performance indicators (KPIs) for an information security program?

Question 72 (hard, multi select)

Which THREE of the following are critical success factors for implementing an information security program?

Question 73 (easy, multiple choice)

Based on the exhibit, which of the following is true about traffic from the internet to the internal network 10.0.0.0/8?

Exhibit:

```
access-list 100 deny ip any 10.0.0.0 0.255.255.255
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80
access-list 100 deny ip any any
```
The ACL is applied inbound on the external interface of the border router.

Question 74 (medium, multiple choice)

Based on the exhibit, what is the most significant security gap in this configuration?

Exhibit:

```
{
  "securityControls": {
    "firewall": {
      "state": "active",
      "rules": [
        {"action": "allow", "src": "any", "dst": "web-servers", "port": 443},
        {"action": "allow", "src": "web-servers", "dst": "db-servers", "port": 3306},
        {"action": "deny", "src": "any", "dst": "any", "port": "any"}
      ]
    },
    "intrusionDetection": {
      "state": "active",
      "signatures": ["critical", "high"],
      "action": "alert"
    },
    "vendorBaseline": "CIS Level 1"
  }
}
```
This JSON policy is for a web application environment. The db-servers network is considered internal.

Question 75 (hard, multiple choice)

Based on the exhibit, what is the most likely vulnerability that an attacker could exploit?

Exhibit: Network Architecture Description

The network consists of three zones: External, DMZ, and Internal. The external interface connects to the internet. The DMZ hosts public-facing web servers and an email relay. The internal zone hosts database servers and application servers. A firewall separates External from DMZ, and another firewall separates DMZ from Internal. The firewall rules are:
- External to DMZ: allow HTTP, HTTPS, SMTP.
- DMZ to Internal: allow MySQL (3306) from web servers to database servers, and allow LDAP (389) from application servers to domain controllers.
- Internal to External: allow outbound HTTP/HTTPS from application servers.
- All other traffic is denied.
The IDS is placed on the DMZ segment, monitoring traffic between DMZ and Internal. The IDS signatures include critical, high, and medium severity, and the action is 'alert and log'.

Question 76 (medium, multiple choice)

A company is implementing an information security program. Which of the following is the PRIMARY reason to align the program with business objectives?

Question 77 (easy, multiple choice)

An organization's security program includes a risk assessment process. Which step should be performed FIRST?

Question 78 (hard, multiple choice)

After a data breach, the CISO is updating the incident response plan. Which of the following is MOST critical to include?

Question 79 (medium, multiple choice)

An organization is developing an information security program for a new subsidiary. Which approach BEST ensures that the subsidiary's program complements the parent's?

Question 80 (easy, multiple choice)

The security team is designing a security awareness program. Which topic should be prioritized FIRST?

Question 81 (hard, multiple choice)

A financial institution's security program must comply with PCI DSS, GDPR, and SOX. Which approach is MOST efficient to manage overlapping compliance requirements?

Question 82 (medium, multiple choice)

An organization's security program includes metrics to measure performance. Which metric BEST indicates the effectiveness of the vulnerability management process?

Question 83 (easy, multiple choice)

A company has a small security team and limited budget. Which initial investment provides the MOST value for building an effective security program?

Question 84 (hard, multiple choice)

During a security program review, the auditor finds that incident response procedures have not been tested in over two years. What is the MOST significant risk arising from this finding?

Question 85 (easy, multi select)

Which TWO of the following are primary objectives of a security awareness program?

Question 86 (medium, multi select)

Which THREE elements are essential for an effective information security governance framework?

Question 87 (hard, multi select)

Which THREE characteristics indicate a higher maturity level in a security program maturity model?

Question 88 (easy, multiple choice)

Refer to the exhibit. The dashboard shows the incident response plan test is overdue. What is the MOST immediate risk?

Exhibit:

CISO Quarterly Report:
- Patch Compliance (30-day window): 85%
- Critical Vulnerability Remediation (48h): 95%
- High-Risk Vulnerability Remediation (60-day): 88%
- Risk Acceptance: 3% of findings
- Incident Response Plan Test: Annual, last test 14 months ago.

Question 89 (hard, multiple choice)

Refer to the exhibit. An audit reveals that 20% of privileged accounts were approved by the same manager without secondary review. Which control deficiency is MOST relevant to this finding?

Exhibit:

Access Control Policy:
- Users must be provisioned within 24 hours of request.
- Access reviews are conducted quarterly.
- Privileged accounts require manager approval.
- Default deny for all new accounts.
- Audit logs retained for 90 days.

Question 90 (medium, multiple choice)

Refer to the exhibit. The CISO wants to improve the program. Which recommendation BEST addresses the main gap shown in the dashboard?

Exhibit:

Security Program Dashboard:
- Patch Compliance (30-day window): 85%
- Critical Vulnerability Remediation (48h): 95%
- High-Risk Vulnerability Remediation (60-day): 88%
- Risk Acceptance: 3% of findings
- Incident Response Plan Test: Annual, last test 14 months ago.

Question 91 (easy, multiple choice)

A security manager is developing a new information security program for a mid-sized company. Which of the following should be the FIRST step?

Question 92 (medium, multiple choice)

An organization's security program includes a set of metrics reported quarterly to the board. Which metric best demonstrates the effectiveness of the security awareness program?

Question 93 (hard, multiple choice)

A large financial institution is updating its information security program to align with a new regulatory framework. The program currently has a decentralized governance model. Which of the following is the MOST significant risk of maintaining a decentralized model?

Question 94 (easy, multiple choice)

Which of the following is the PRIMARY purpose of a security program's key performance indicators (KPIs)?

Question 95 (medium, multiple choice)

An organization has implemented a new security policy requiring multi-factor authentication for all remote access. Several users complain about the inconvenience. What is the BEST course of action for the security manager?

Question 96 (hard, multiple choice)

A security program manager is reviewing the results of a recent internal audit that identified several security gaps. The manager must prioritize remediation efforts. Which factor should be given the MOST weight?

Question 97 (easy, multiple choice)

An organization wants to ensure its information security program is aligned with business objectives. Which of the following is the BEST approach?

Question 98 (medium, multiple choice)

A security manager is designing a metrics dashboard for executive management. Which of the following metrics is MOST useful for demonstrating the value of the security program?

Question 99 (hard, multiple choice)

During a merger, the acquiring company's security program must integrate with the target company's program. What is the HIGHEST priority action?

Question 100 (medium, multi select)

An information security program must include elements to ensure continuous improvement. Which TWO of the following are MOST essential for continuous improvement?

Question 101 (hard, multi select)

A security program manager is selecting metrics to report to the board. Which THREE metrics provide the BEST indication of the program's effectiveness?

Question 102 (easy, multi select)

When establishing an information security program, which TWO of the following are key components of governance?

Question 103 (medium, multiple choice)

A company is implementing a new security program. The CISO wants to ensure alignment with business objectives. Which approach is best?

Question 104 (easy, multiple choice)

Which metric is most indicative of security program effectiveness?

Question 105 (hard, multiple choice)

A multinational organization needs to comply with GDPR and CCPA. What is the best approach for the information security program?

Question 106 (medium, multiple choice)

During a security audit, several deviations from policy are found. What should the security manager do first?

Question 107 (easy, multiple choice)

Which is a key component of an information security program?

Question 108 (hard, multiple choice)

A security program lacks executive support. What is the best strategy to gain support?

Question 109 (medium, multiple choice)

In developing a security awareness program, which factor is most important for effectiveness?

Question 110 (easy, multiple choice)

Which document should be reviewed and updated at least annually?

Question 111 (hard, multiple choice)

An organization has multiple business units with different risk tolerances. How should the security program address this?

Question 112 (medium, multi select)

Which TWO are essential elements of an information security program?

Question 113 (hard, multi select)

Which THREE are key performance indicators (KPIs) for an information security program?

Question 114 (easy, multi select)

Which THREE are components of the Plan phase in a security program lifecycle (e.g., ISO 27001 PDCA)?

Question 115 (hard, multiple choice)

A large healthcare organization recently experienced a ransomware attack that encrypted patient records (ePHI). The attack originated from a phishing email that bypassed the email security gateway. The security program includes annual security awareness training, but post-incident analysis reveals that employees often ignore suspicious emails. The CISO wants to revise the program to reduce the likelihood of similar incidents. Which course of action is most effective?

Question 116 (easy, multiple choice)

A multinational organization is establishing an information security program. The Chief Information Security Officer (CISO) wants to ensure the program aligns with business objectives and is accountable to senior management. Which of the following governance structures would best support this goal?

Question 117 (medium, multiple choice)

During a security assessment, an organization discovers that its patch management process is not consistently applied across all systems. Which of the following controls would best address this deficiency as part of the information security program?

Question 118 (hard, multiple choice)

An organization has implemented a data classification policy but notices that employees often mark documents as 'internal use only' even when they contain personally identifiable information (PII). Which of the following is the most effective corrective action for the information security program?

Question 119 (medium, multiple choice)

A company is designing its information security program and wants to ensure that it meets regulatory requirements across multiple jurisdictions. Which of the following approaches is most appropriate?

Question 120 (easy, multiple choice)

An organization's information security program recently experienced a ransomware attack that encrypted critical data. Which of the following program components should be improved first to prevent recurrence?

Question 121 (hard, multiple choice)

A large financial institution is maturing its information security program and wants to move from a reactive to a proactive posture. Which of the following initiatives would best support this transition?

Question 122 (easy, multi select)

Which TWO of the following are key performance indicators (KPIs) for measuring the effectiveness of an information security program?

Question 123 (medium, multi select)

Which TWO of the following are essential components of an information security program charter?

Question 124 (hard, multi select)

Which THREE of the following are common challenges in implementing an information security program across a large enterprise?

Question 125 (easy, multiple choice)

You are the CISO of a mid-sized manufacturing company. The company has grown rapidly through acquisitions, and each subsidiary has its own information security program. There is no centralized governance, and recent security incidents have occurred due to inconsistent policies. The board has asked you to create a unified information security program that balances flexibility with control. Each subsidiary has unique operational processes and varying levels of security maturity. You have limited budget and cannot replace all local security teams. Which approach should you take?

Question 126 (medium, multiple choice)

You are the information security program manager at a global financial services firm. The firm has a mature security program, but the CISO is concerned that the program is not keeping pace with emerging threats such as supply chain attacks and advanced persistent threats (APTs). Additionally, the program currently focuses heavily on compliance with regulations (e.g., PCI DSS, GDPR) rather than proactive risk management. The board wants to see a more strategic approach to information security. However, the compliance team is large and influential, and they resist changes that might reduce their role. You have been asked to propose a new program model that addresses these concerns while maintaining regulatory compliance. What should you do?

Question 127 (hard, multiple choice)

You are the CISO of a large healthcare organization that has recently experienced a data breach due to an insider who exfiltrated patient data over several months. The breach was discovered by an external partner. The organization's information security program includes data loss prevention (DLP) tools, but they were not configured to monitor outbound data from the compromised system. Additionally, user activity monitoring (UAM) was only applied to privileged users, not to regular staff. The board demands a comprehensive improvement plan that will prevent similar incidents. However, there are concerns about employee privacy and budget constraints. The organization has a strong culture of trust and minimal monitoring. Which of the following should be the first priority in the revised program?

Question 128 (easy, multiple choice)

You are the information security program manager for a government agency. The agency has a highly regulated environment and is in the process of updating its incident response plan. During a tabletop exercise, it becomes clear that the detection capabilities are strong, but the response coordination between IT, legal, and public affairs is poor. This caused delays in containing a simulated ransomware attack. The existing program includes an incident response policy but no formal procedures for cross-department coordination. The agency's leadership wants quick improvement with minimal budget impact. What should you recommend?

Question 129 (medium, multiple choice)

You are the CISO of a retail company that is planning to implement a new e-commerce platform. The information security program currently consists of a set of high-level policies, but there are no detailed standards or guidelines for secure development. The development team uses agile methodologies and is accustomed to rapid releases. They have resisted security reviews in the past, citing delays. You need to integrate security into the development lifecycle without causing friction. The company's risk appetite is moderate; they accept some risk for speed but not if it leads to major breaches. The board expects you to manage this risk effectively. Which approach should you take?

Question 130 (hard, multiple choice)

You are the director of information security at a multinational corporation that operates in many countries with conflicting data privacy laws. The company's information security program includes a data classification policy and a data retention schedule, but there is no consistent method for handling cross-border data flows. Recently, a regulator in Country A fined the company for transferring personal data to Country B, which does not provide adequate protection. The legal department recommends implementing a binding corporate rules (BCR) approach, but the IT department says it would be too complex to implement across all systems. You must update the program to ensure compliance while minimizing operational impact. The board wants a solution that can be implemented within one year with reasonable cost. What should you do?

Question 131 (medium, multi select)

A multinational corporation is designing an information security program to align with diverse business units and regulatory requirements across different regions. The CISO is prioritizing key components that ensure the program is both comprehensive and adaptable. Which TWO components are most critical for achieving this alignment?

Question 132 (easy, multiple choice)

A small e-commerce company with 50 employees and limited IT budget is establishing its first formal information security program. The company processes customer payment data and must comply with PCI DSS. The CEO wants to balance security with operational costs. The IT manager proposes investing in a state-of-the-art security information and event management (SIEM) system costing $100,000 annually. The CISO, however, recommends a more phased approach. Considering the company's size, budget constraints, and compliance requirements, what should be the CISO's primary recommendation?

Question 133 (hard, multiple choice)

A global financial services firm operates in 30 countries and is subject to multiple data protection regulations, including GDPR, CCPA, and various financial services directives. The firm has a centralized information security program but struggles with inconsistent enforcement across regions. The CISO is under pressure to demonstrate compliance to the board while reducing costs. The compliance team suggests creating a separate security program for each regulation, while the IT audit team recommends adopting the most stringent regulation as the baseline. The CISO must decide on a strategy that balances compliance, efficiency, and cost. What is the best approach for the CISO to take?

Question 134 (easy, multiple choice)

An organization is updating its information security program to align with business objectives. Which of the following is the PRIMARY benefit of integrating security risk management into the strategic planning process?

Question 135 (medium, multi select)

During an audit of the information security program, the auditor identifies that several critical systems are not included in the incident response plan. Which of the following are the MOST appropriate actions for the security manager to take? (Select TWO.)

Question 136 (hard, multiple choice)

An information security manager reviews the suspicious activity log shown in the exhibit. The payroll file is supposed to be encrypted and only accessible internally. What is the MOST likely cause for the failed download?

Exhibit

Refer to the exhibit.
Suspicious Activity Log:
Timestamp: 2025-03-21 14:32:15 UTC
Event ID: 5678
Source IP: 192.168.1.50
User: jdoe
Action: File download
File: payroll_encrypted.xlsx
Status: Failed - Encryption key not found
Additional Info: Downloaded using HTTPS from external IP 203.0.113.45
Question 137 (hard, multiple choice)

A multinational corporation with a decentralized information security program has recently experienced a data breach involving customer PII. The breach originated from a regional office that had not implemented the global security baseline due to local IT staff claiming 'unique operational requirements.' The CISO has tasked the security manager with revising the program to prevent recurrence. The organization has 12 regional offices, each with its own IT leadership, and a central security team. The budget is tight, and there is resistance to centralized control. Which of the following is the BEST course of action for the security manager?
